Tools for Quantifying Risk Exposure are Few
I found this excellent article from Information Security Resources on the availability of tools for quantifying risk exposures. I thought those of you involved in Risk Management and Risk Analysis would find it informative. Below is an excerpt from the story. You can read the entire story by following the link at the bottom of this post:
“In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk.
I suspect that if you ask the CEO of most public companies or public sector organizations about their level of risk, they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.
Many firms have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations.
Historically I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.
However, the recent past demonstrates that no organization is really immune to a potential data breach incident.
The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors.
This seeming inconsistency between a perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can “quantify” their level of data breach risk.
We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk.
Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.”
To read the rest of the story, from Information Security Resources, please click the link below: